I'm trying to build out an EKS project in go, and I'm having some issues with credentials and providers. Wondering if anyone has tried this particular scenario yet. We have a Hashicorp Vault AWS credential backend already configured for this account. SO - I have pulumi grabbing some AWS credentials from Vault, building an AWS provider, and then using that for all of my AWS resources. This works well for most things (VPC created already, etc.) But, when I use pulumi-eks to build an EKS cluster with this provider, it fails to validate that the cluster is running. From the error messages, it appear that the pulumi operator (which is running this code), is trying to use its own credentials to access the cluster afterwards. SO, I think there's some issue with the Kubernetes provider that gets generated not using the AWS provider credentials that I used to create the cluster. At this point, I have no clue how to get around this, other than to not use the pulumi-eks library, and instead build out the cluster and node groups, etc. myself using the "standard" aws library. This would allow me to control the K8s provider that gets generated and the aws-auth configmap myself (I think) Am I missing something, or is that the correct path forward here? Also, let me know if I should post this in AWS or Go instead

Anyone have good patterns around getting AWS credentials into a K8s cluster?

I could obviously set them as secrets in the configfile, but was wondering if there was a way to grab them out of my local credentials file?

Is it for the aws account that your cluster is in? You could use IRSA or kube2iam to assume roles instead

More fun with pulumi-eks and the pulumi-kubernetes-operator -

Unable to connect to the server: getting credentials: exec plugin is configured to use API version <http://client.authentication.k8s.io/v1beta1|client.authentication.k8s.io/v1beta1>, plugin returned version <http://client.authentication.k8s.io/v1alpha1|client.authentication.k8s.io/v1alpha1>

I was able to fix this error locally by updating to a newer version of the awscli. I can't seem to find where this is defined for the pulumi containers. Any thoughts on a workaround, and/or should I file an issue somewhere for this?

Hi all, I'm trying to use the v3.Chart resource. However I'm running into an issue that I can't seem to replicate

--set-file

, used for a template that that replaces a value with the file's contents. If I 1) use a json object as the value, it blows up with

wrong type for value; expected string; got []interface {}

. If I try to pass a yaml string literal, pulumi helpfully escapes all the newlines so that doesn't work either. So wondering if anyone knows of a way to duplicate whatever helm template --set-file does.

Does anyone know why “health” checking is implicitly part of the “create” lifecycle for k8s objects? If health fails, it thinks that create fails, and the object doesn’t get stored in state. Subsequent runs fail with “already exists” error from kubernetes. I filed an issue: https://github.com/pulumi/pulumi-kubernetes/issues/1994 I think this is a fairly high priority / common use case.

Hey there! Posting my questions here because I think they are most relevant here, but if I should move this to another channel that's better suited, then let me know. I am building a component resource provider, in Go, for easily deploying my company’s platform, which is a cloud environment, such as a VPC and EKS cluster, with a suite of open-source tools that gets deployed to Kubernetes. I’ve ran into a dilemma and I’m not sure how to proceed. I’m trying to make use of the Kubernetes provider’s “CustomResource” resource in order to configure an ArgoCD application custom resource. I’ve hit a snag with that "CustomResource" resource type because one of its arguments doesn't implement Pulumi types, specifically the

OtherFields

field, ref. Because of that, I can’t pass it a Pulumi type for a value. This is an issue for me because my custom resource needs to support resource dependencies for a

dependsOn

to work, but as far as I know Pulumi’s provider type checking requires that fields implement Pulumi types if a resource is to have dependencies. Implementing plain types when my provider’s resource has a

dependsOn

results in an error like the following:

error: program failed: waiting for RPCs: rpc error: code = Unknown desc = setting args: copying input "spec": application.ArgocdAppArgs.Spec is typed as map[string]interface {} but must be a type that implements pulumi.Input or pulumi.Output for input with dependencies

Which seems to originate from here: https://github.com/pulumi/pulumi/blob/master/sdk/go/pulumi/provider.go#L564. Which seems odd that this is even a problem, because my dependency is simply a

dependsOn

, not an actual field dependency. So with all of that backstory laid out, my main questions are: How do I pass a pulumi type to a resource that implements a plain type? If that’s not possible, is it possible to get around the pulumi provider type checking that is requiring all fields to implement pulumi types when there are dependencies?

Hey is it possible to deploy a local cluster using minikube/kind/k3s using pulumi?

Pulumi keeps overwriting

.kube/config

on

pulumi up

. How do you make it not touch the file?

👋 quick q for yall - we’re using the helm.v3 construct, but the chart we’re consuming wraps an entire resource template with:

if (.Capabilities.APIVersions.Has <some-api-resource-version>)

which always fails, bc apparently this check returns false. is there a known way for pulumi-k8s operators to work around this, specifically around hydrating

.Capabilities

? https://github.com/pulumi/pulumi-kubernetes/issues/196

Hello, i'm disabled the default k8s provider, and now i'm getting the following error when running the code below:

let secrets: pulumi.Output<output.core.v1.ObjectReference[]> = k8s.core.v1.ServiceAccount.get("ksa-".concat(ksa.name),resourceId).secrets;

error: Error: failed to read resource #thx/shared-db-password 'ksa-shared-db-password' [kubernetes:core/v1:ServiceAccount]: 2 UNKNOWN: Default provider for 'kubernetes:core/v1:ServiceAccount' disabled. 'kubernetes:core/v1:ServiceAccount' must use an explicit provider.

looking at the

k8s.core.v1.ServiceAccount.get

api it doesn't allow you to set the k8s provider. i believe this is the same issue as https://github.com/pulumi/pulumi-kubernetes/issues/1945 ?

Hey Pulumi friends, did anyone face warnings about

client-side throttling

? If yes - How did you get rid of them? I keep getting spammed with messages like this during provisioning of my cluster(s):

Diagnostics:
  pulumi:pulumi:Stack (development-localhost):
    I0602 12:31:12.623746   98885 request.go:665] Waited for 1.044442038s due to client-side throttling, not priority and fairness, request: GET:<https://127.0.0.1:6443/api/v1/namespaces/harbor>
    I0602 12:31:23.024342   98885 request.go:665] Waited for 1.019069815s due to client-side throttling, not priority and fairness, request: GET:<https://127.0.0.1:6443/api/v1/namespaces/minio>
  [..]

I found several reports to delete and/or

chown

the

~/.kube/cache

directory. This did not help for me. Any ideas?

how do you guys maintain docker image versions in deployments and helm charts? let’s say I use Operator to deploy a stack, I want something to open PRs on git to keep my image versions current like an SCA like renovate or snyk but for my pulumi code

Hi all, I'm wondering if something already exists for splitting up Pulumi components for Kubernetes into different repositories and enabling/importing them on demand?

For example, if you wanted to enable a Cilium CNI component on a cluster but not Istio

I'm about to start writing a framework that does pretty much exactly this but it seems like somewhat of a common need so I'm interested if anyone has come up with something like it

A team have got into some kind of mess that I try to help out resolving. Everything started with this error:

resource complete event returned an error: failed to verify snapshot... refers to unknown provider

I checked the stack with a stack export, and the provider urn on the kubernetes resources seemed to use another id than what was specified on the actual kubernetes provider. So I modified those resources to have the right id (not sure if that is the right thing to do). That gave me another issue:

error: resource xxx was not successfully created by the Kubernetes API server : services "xxx" already exists

So then I thought I can just import those resources to my stack, so I added the import property to all the resources I had this issue. That didn't work either, I'm now back at:

error: Preview failed: unknown provider

So it complains on the provider missing. Looking at the stack and it seems like the provider id has changed, but not on all the resources. Do I just update the stack so everything aligns and hope for the best?

Hi all, I'm using the helm/v3 (plugin

v3.19.2

to install a local chart with golang, and I'm struggling a little with an unhelpful error...

❯ pulumi up
Previewing update (poc):
     Type                              Name                  Plan     Info
     pulumi:pulumi:Stack               arges-theila-poc-poc           
     └─ kubernetes:<http://helm.sh/v3:Release|helm.sh/v3:Release>  arges-tim                      1 error
 
Diagnostics:
  kubernetes:<http://helm.sh/v3:Release|helm.sh/v3:Release> (arges-tim):
    error: unrecognized type: string

Hi guys, asked this in the python channel but I am having an issue ignoring the version of a helm chart. This is what I am trying that fails:

rabbitmq_chart = Chart(
    'rabbitmq-chart',
    ChartOpts(
        resource_prefix=stack_name,
        chart='rabbitmq',
        version="8.16.2",
        fetch_opts={'repo': '<https://charts.bitnami.com/bitnami>'},
        values={},
    ),
    ResourceOptions(provider=k8s_provider, ignore_changes=['version'])
)

Hi guys i am using python, how can i make pulumi k8s pull images from a private repo on amazon ecr?

can i somehow configure pulumi to use the kubectl created secret so it would pull from the relevant repo?

What's the most efficient way to import existing resources in a Kubernetes cluster?

I'm hoping to query a list of namespaces and populate RoleBindings with those namespaces. Any ideas on how to implement? I found the

pulumi query

, but I'd like it to execute at

pulumi up

. I tried

pulumi query

anyways and I get some odd errors -

pulumi query
Error: Program run without the Pulumi engine available; re-run using the `pulumi` CLI

CLI output seems to break badly even with a very large terminal - is this a known issue?

It's difficult to see the actual state of resources being created

not sure if this is the right spot but - we’re using

pulumi_eks

and in modifying an existing cluster’s

VpcCniOptionsArgs

, we’re getting this message in CI/CD (which we’ve never needed

kubectl

to run)

Diagnostics:
  eks:index:VpcCni (cluster-name):
    error: Could not set VPC CNI options: kubectl is missing. See <https://kubernetes.io/docs/tasks/tools/install-kubectl/#install-kubectl> for installation instructions.

does anyone know what we might be missing (other than installing kubectl in our remote runners, which seems wrong to do)

I'm trying to create an ingress for an application using

new k8s.networking.v1.Ingress

and am failing the

pulumi up

with this error:

kubernetes:<http://networking.k8s.io/v1:Ingress|networking.k8s.io/v1:Ingress> (api-ingress):
    error: resource test/api-ingress was not successfully created by the Kubernetes API server : admission webhook "vingress.elbv2.k8s.aws" denied the request: invalid ingress class: <http://IngressClass.networking.k8s.io|IngressClass.networking.k8s.io> "alb" not found

The way I have set it up is extremely similar to this blog post: https://www.pulumi.com/blog/kubernetes-ingress-with-aws-alb-ingress-controller-and-pulumi-crosswalk/ Does anyone have any idea what is going wrong?

Crossposted from #typescript https://pulumi-community.slack.com/archives/CJ909TL6P/p1654836300810979